Closed
Bug 397828
Opened 17 years ago
Closed 17 years ago
Make window.document not be allAccess
Categories
(Core :: DOM: Core & HTML, defect, P2)
Tracking
()
RESOLVED
FIXED
People
(Reporter: sicking, Assigned: sicking)
References
Details
(Keywords: dev-doc-complete)
Attachments
(1 file)
|
6.07 KB,
patch
|
jst
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
This should allow for a lot of security improvement since there would no longer be a way to hold a reference to a document from another domain. Though we'd need to also fix at least <iframe>.contentDocument too to deny accecss to documents from another origin.
This shouldn't break too many sites as microsoft already made the same change in IE7.
We should also make document.open not be allAccess as you shouldn't be able to get to such a document anyway.
Further, if we did this we could possibly make it so that document.open() wouldn't actually change the principal of the document it's called on. Though just to be safe we should add checks that made sure that the subject principal subsumes the object principal and bailing if that is not the case.
Flags: blocking1.9?
|
Assignee | |
Comment 1•17 years ago
|
||
Blake, at the very least, could we simply make the pref-change and change frame.contentDocument here?
bz: are there more APIs that you know of that could return cross-origin documents?
Assignee: nobody → mrbkap
Flags: blocking1.9? → blocking1.9+
|
||
Comment 2•17 years ago
|
||
Maybe some event targets in some cases? Probably not, though. So no, not that I know of.
|
|
||
Comment 3•17 years ago
|
||
Ah, correction. As things stand, XMLHttpRequest. But the access check story there is all screwed up anyway.
Also, a document can _become_ cross-origin even if it didn't start that way as a result of XMLDocument::Load(), no?
|
|
Assignee | |
Comment 4•17 years ago
|
||
Aw crap, forgot about document.load. But really, can't we keep the principal there too since we don't allow cross-origin loads (yet)?
What i'm trying to accomplish is that we never change the principal of an existing document. I'm not sure if there is that much value in that? Or if it's not really doable anyway?
|
||
Comment 5•17 years ago
|
||
(In reply to comment #4)
> I'm not sure if there is that much value in that? Or if it's
> not really doable anyway?
The value would be that we wouldn't have to wrap documents in XOWs.
|
|
||
Comment 6•17 years ago
|
||
Do we want to never change the principal? Or never change the origin?
We use principals for things like base URIs too in some cases, I believe... In fact, document.open might be such an example.
I think not changing the origin is quite feasible. We'd have to sort out what happens in the "subsumes but not same origin" case in terms of base URIs, and such.
|
|
||
Comment 7•17 years ago
|
||
Sorry, I was referring to never changing the origin.
|
|
Assignee | |
Comment 8•17 years ago
|
||
I was actually hoping to not change principal even, but that might be too much to hope for. The reason was that I had some vague recollection of bugs where we checked the principal in one place but used the object later, thereby opening up some sort of vector of attack. But it's entirely possible that it's not a real win in keeping the principal, and not changing origin would be quite enough.
In any case, we should do the best we can and eventually we'll see if there are security checks we can remove.
|
|
||
Comment 9•17 years ago
|
||
Blake and I talked a bit... Note that .domain changes the origin without changing the principal object. Any proposed setup has to handle that.
|
|
Assignee | |
Comment 10•17 years ago
|
||
Blake, is this just a matter of flipping the pref? Do we have a pref for iframe.contentDocument?
Assignee: mrbkap → jonas
Priority: -- → P2
|
|
Assignee | |
Comment 11•17 years ago
|
||
This seems to do it. I tested a few sites, including google maps, google calendar, and some news sites, and nothing seemed to be broken.
I'm sure we'll break a few sites, but I think it might be worth it given the security win here.
Attachment #290938 -
Flags: superreview?(jst)
Attachment #290938 -
Flags: review?(jst)
|
||
Comment 12•17 years ago
|
||
Comment on attachment 290938 [details] [diff] [review]
Patch to fix
- In nsHTMLDocument::OpenCommon():
NS_ASSERTION(nsContentUtils::CanCallerAccess(static_cast<nsIDOMHTMLDocument*>(this)),
>+ "XPConnect should have cought this!");
Typo, "caught", and given that our scriptable helpers override the XPConnect method, it's XOW that should catch this.
r+sr=jst
Attachment #290938 -
Flags: superreview?(jst)
Attachment #290938 -
Flags: superreview+
Attachment #290938 -
Flags: review?(jst)
Attachment #290938 -
Flags: review+
|
|
Assignee | |
Comment 13•17 years ago
|
||
Seems like somehow this patch caused documents to not be bfcached
|
|
Assignee | |
Comment 14•17 years ago
|
||
test_bug310107.html failed with the "Prop still 2 because we're in bfcache" test failing. And a pile of chrome tests got the wrong events (load instead of pageshow etc)
|
|
||
Comment 15•17 years ago
|
||
That's odd. Can you step through CanCachePresentation and see what's up?
|
|
Assignee | |
Comment 16•17 years ago
|
||
The extra weird thing is that this seemed to only happen on the mac tinderbox. However I don't fully trust the times on tinderbox so it's possible that the windows and linux boxes didn't have the patch.
|
|
||
Comment 17•17 years ago
|
||
For what it's worth, I just hit the same issue, also on only the Mac box, when I checked in the patch for bug 401496....
I wonder what the deal there is.
|
|
||
Comment 18•17 years ago
|
||
Er, bug 401946
|
|
Assignee | |
Comment 19•17 years ago
|
||
So it seems like that box simply randomly fails to use fastback :( I filed bug 406532 for that.
Marking this bug fixed.
For the record, we are aware that this might break some sites. However IE7 has already made the same change so hopefully very few sites are still relying on this. The reason we're doing this is extra levels of security. We have had bugs relating to the now disabled functions in the past, and it's possible that it could happen in the future.
Keywords: dev-doc-needed
|
|
Assignee | |
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
|
||
Updated•17 years ago
|
Flags: in-testsuite?
|
||
Comment 20•17 years ago
|
||
added a note to http://developer.mozilla.org/en/docs/DOM:window.document mentioning this change.
Keywords: dev-doc-needed → dev-doc-complete
|
|
Assignee | |
Comment 21•17 years ago
|
||
Could you also add a note to
http://developer.mozilla.org/en/docs/DOM:document.open saying that this method is as-of-firefox3 subject to the same same-origin policy used for other properties. Partially to make it easier to find, partially because you can actually still get hold of another windows document using iframeelement.contentDocument, and so the call to .open might be the one that actually fails.
Keywords: dev-doc-complete → dev-doc-needed
|
||
Comment 23•16 years ago
|
||
This fix will cause window.document to always fail permission when reading a local html file. That is, if document.domain is the empty string, window.document will fail for all newly created windows. This is not an issue if the file is read through a local server (i.e. http://127.0.0.1/...). It is only an issue when the html is read as a file (i.e. file:///...).
This occurs on windows and linux machines.
Since it appears that nsContentUtils::CanCallerAccess(frameElement) is the call which is failing for local files, this issue may affect other aspects of DOM when using local files.
|
|
Assignee | |
Comment 24•16 years ago
|
||
Please file a separate bug and mark it blocking this one (that's how we track regressions in bugzilla). And attach a testcase to that bug.
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•